DETAILED ACTION

• In view of the Appeal Brief filed on 6/5/2008, PROSECUTION IS HEREBY 
REOPENED. A new ground of rejection is set forth below. 
To avoid abandonment of the application, appellant must exercise one of the 
following two options: 

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply
under 37 CFR 1.113 (if this Office action is final); or,

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31
followed by an appeal brief under 37 CFR 41.37. The previously paid notice
of appeal fee and appeal brief fee can be applied to the new appeal. If,
however, the appeal fees set forth in 37 CFR 41.20 have been increased
since they were previously paid, then appellant must pay the difference 
between the increased fees and the amount previously paid. 

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution 
by signing below. 



• Claims 1, 2, 8-12, 16, 18, 20-24, 26-29, 31, and 33-35 remain pending.



Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 
(e) the invention was described in (1) an application for patent, published under section 122(b), by
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

2. Claims 1, 8-12, 16, 20-24, 26-29, 31, and 33-35 are rejected under 35
U.S.C. 102(e) as being anticipated by Pub. No. US 2005/0073982 A1 ("Corneille"). 

Regarding claim 1,

Corneille shows in fig. 1 firewall 124 (claimed extensible set of services) in 
customer network 114, which contains the second entity 5000. 

Regarding claim 8, 

Corneille discloses that the first entity 102 corresponds to a business partner 
system (para. 13, It provides a company with wireless personal information 
management (PIM) functionality over general packet radio services (GPRS) or UMTS 
networks to end-users via a secure connection through a connector gateway system) 
and the second entity corresponds to a service activation component 5000, the service 
activation component provides the service to a customer associated with the business 
partner system, the business partner system generates the message requesting service 
for the customer; and wherein the first interface module is further configured to: 
authenticate the business partner system based, at least in part, on information included 
in the message (para. 13, The mobile provisioning tool system interfaces allow users to
provision mobile devices and manage mobile services, customers, end-users, and
authorizations; para. 155, After querying the active directory 108, the following checks 
may be performed: a password check, a check of the expiration date of the account and 
a check to see if the account is blocked. If these checks are successful, the mobile 
provisioning tool system 103 may lookup what authorization rights can be assigned 
to the user (security group). Security groups will be maintained in the active directory 
108. Based on the security group, the user will be granted access to only the data and 
functionality that he/she is authorized to access. So, customer users will not have 
access to other customer's data. Consequently, CRM Representatives will not have 
access to all of the functionality provided to Supervisors (Administrators). Although not 
illustrated, if any of the security checks above fail or a cancel button is selected, an 
"Access Denied" screen or page will be generated). 

Regarding claim 9, 

Corneille shows in figs. 2-36 that the first entity 102 includes a plurality of service 
activation components (see numerous screen layouts of figs. 2-36); and wherein the 
system further comprises: a second entity locator configured to obtain information 
associated with the service activation components; and wherein the second interface 
module is further configured to: contact the second entity locator to identify one of the 
service activation components from which to request performance of the service (paras. 
367-371, the service table 5006 stores the services provisioned for each respective
user. When a mobile network session is created for a user, the user's rows in this table
will be inserted in a session lightweight directory access protocol (LDAP). The server
table 5008 stores specific details about how the connector gateway application will 
connect to each customer server 5000 that will provide a service to the mobile device 
102. When the connector gateway application is started, the server table 5008 is 
loaded into a memory location on the connector gateway server 104 and will be read to 
determine the customer server 5000 details when a connection will be made between a 
mobile device 102 and remote customer server 5000). 

Regarding claims 10 and 21,

Corneille discloses that the message includes a subscriber identifier that 
identifies a subscriber on whose behalf the service is being requested (para. 371, 
source IP on the request packet); and wherein the second entity locator is configured to 
map the subscriber identifier to the identified one of the service activation components 
(paras. 367-371, the service table 5006 stores the services provisioned for each
respective user. When a mobile network session is created for a user, the user's rows 
in this table will be inserted in a session lightweight directory access protocol (LDAP). 
The server table 5008 stores specific details about how the connector gateway 
application will connect to each customer server 5000 that will provide a service to the 
mobile device 102. When the connector gateway application is started, the server table 
5008 is loaded into a memory location on the connector gateway server 104 and will be 
read to determine the customer server 5000 details when a connection will be made 
between a mobile device 102 and remote customer server 5000). 

Regarding claim 11,

Corneille discloses that the connector gateway 104 may use Internet security 
server applications that provide firewall services for enterprise networks. For example, 
the connector gateway 104 may be built on top of Microsoft's Internet Security 
Acceleration (ISA) 2000 Server software, which provides firewall services for enterprise 
networks. ISA Server, an extensible platform that provides security, hardware 
redundancy, and load balancing and may have a comprehensive standard delivery kit 
(para. 352). 

Regarding claims 12 and 22, 

Corneille discloses that the connector gateway 104 may use Internet security 
server applications that provide firewall services for enterprise networks. For example, 
the connector gateway 104 may be built on top of Microsoft's Internet Security 
Acceleration (ISA) 2000 Server software, which provides firewall services for enterprise 
networks. ISA Server, an extensible platform that provides security, hardware 
redundancy, and load balancing and may have a comprehensive standard delivery kit 
(para. 352). 



Regarding claims 16, 23, 24, 31, 33, 34, and 35, 

Corneille shows in fig. 50 a service gateway 104 in communication with a first
entity 102 and a second entity 5000, the service gateway comprising: a first interface 
module to receive, from the first entity, a message requesting performance of a service 
(para. 241, During operation, the connector gateway 104 receives a request for a
business service (such as Exchange) from an end user) in an extensible set of services 
offered by the second entity (para. 352, The connector gateway 104 may use Internet 
security server applications that provide firewall services for enterprise networks. For 
example, the connector gateway 104 may be built on top of Microsoft's Internet Security 
Acceleration (ISA) 2000 Server software, which provides firewall services for enterprise 
networks. ISA Server is an extensible platform that provides security, hardware 
redundancy, and load balancing and may have a comprehensive standard delivery kit; 
para. 132, A plurality of firewalls 124 may also be included on the carrier network 110
and the customer network 114 to provide additional security; Note that the customer
network 114 contains the second entity 5000. Therefore, second entity 5000 provides
extensible set of services. See also para. 31), the message including a service name
that corresponds to the service (para. 241, receives a request for a business service
(such as Exchange)) and an argument that includes data useful in performing the
service (para. 371, To determine the customer server 5000, the session table 5010 is 
queried using the source IP on the request packet of the mobile device 102 to get the 
MSISDN); an access control module to: make a first determination of whether the first 
entity is permitted to request performance of the service corresponding to the service 
name (para. 14, The mobile provisioning tool system provides security to prevent 
users from accessing accounts or services other than their own. Users will access
the system using credentials stored in an Active Directory (AD), which will restrict the 
user's access to data relevant only to the business roles they are authorized to use; 
para. 33, DNS communication requests are routed to the connector gateway, which 
determines if the user is authorized to access the requested service), make a second 
determination of whether the argument is permitted to be provided by the first entity, 
and make a third determination of whether the argument is permitted to be requested 
for the service corresponding to the service name (Note that the following italicized 
portion of paragraph 129 meets both limitations of second determination and third
determination, The connector gateway 104 may also provide several technical 
benefits. It can integrate with RADIUS session LDAP to control access based on 
device IP. Service access control may be based on a user profile stored in a secure 
SQL database, which prevents company A user from getting access to company B 
Server. Note: Thus, a source IP (claimed argument) will have to be determined if it
corresponds to a company A user (claimed first entity) in a SQL database before a
requested service is granted); and a second interface module to selectively request
performance of the service by the second entity based, at least in part, on results of the 
first, second, and third determinations of the access control module (para. 357, The 
connector gateway 104 works by listening for requests from mobile devices 102. When 
a request is received from the mobile device 102, the connector gateway 104 performs 
a lookup to determine which customer server 5000 the connector gateway 104 should 
contact to complete the connection). 

Regarding claim 20,

Corneille discloses that the mobile provisioning tool system interfaces allow 
users to provision mobile devices and manage mobile services, customers, end-users, 
and authorizations (para. 13). Corneille further discloses that after querying the active 
directory 108, the following checks may be performed: a password check, a check of 
the expiration date of the account and a check to see if the account is blocked. If these 
checks are successful, the mobile provisioning tool system 103 may lookup what 
authorization rights can be assigned to the user (security group). Security groups 
will be maintained in the active directory 108. Based on the security group, the user will 
be granted access to only the data and functionality that he/she is authorized to access. 
So, customer users will not have access to other customer's data. Consequently, CRM 
Representatives will not have access to all of the functionality provided to Supervisors 
(Administrators). Although not illustrated, if any of the security checks above fail or a 
cancel button is selected, an "Access Denied" screen or page will be generated (para. 
155). 

Regarding claim 26, 

Corneille shows in fig. 1 a service activation component 5000 configured to 
provide the services to the subscribers 102; and a service gateway 104 configured to 
act as a single point of contact between the retailer systems 102 and the service 
activation component 5000, the service gateway 104 providing controlled access, by the 
retailer systems 102, to the services provided by the service activation component
5000, the service gateway 104 permitting each of the retailer systems 102 access to a 
subset of the services provided by the service activation component 5000 via the 
controlled access, the service gateway comprising: a first interface module to receive, 
from one of the retailer systems 102, a message requesting performance of one of the 
services by the service activation component 5000 (para. 241, During operation, the
connector gateway 104 receives a request for a business service (such as Exchange) 
from an end user), the message including at least one argument that includes data 
useful for performing the one service (para. 371, To determine the customer server 
5000, the session table 5010 is queried using the source IP on the request packet of 
the mobile device 102 to get the MSISDN), an access control module to: make a first 
determination of whether the one retailer system is permitted to request performance of 
the one service (para. 14, The mobile provisioning tool system provides security to 
prevent users from accessing accounts or services other than their own. Users 
will access the system using credentials stored in an Active Directory (AD), which will 
restrict the user's access to data relevant only to the business roles they are authorized 
to use; para. 33, DNS communication requests are routed to the connector gateway, 
which determines if the user is authorized to access the requested service), make a 
second determination of whether the at least one argument is permissible for the one 
retailer system, and make a third determination of whether the at least one argument is 
valid for the one service (Note that the following italicized portion of paragraph 129 
meets both limitations of second determination and third determination, The
connector gateway 104 may also provide several technical benefits. It can integrate
with RADIUS session LDAP to control access based on device IP. Service access
control may be based on a user profile stored in a secure SQL database, which
prevents company A user from getting access to company B Server. Note: Thus, a
source IP (claimed argument) will have to be determined if it corresponds to a company
A user (claimed first entity) in a SQL database before a requested service is granted),
and a second interface module to selectively interact with the service activation 
component based, at least in part, on the first, second, and third determinations of the 
access control module (para. 357, The connector gateway 104 works by listening for 
requests from mobile devices 102. When a request is received from the mobile device 
102, the connector gateway 104 performs a lookup to determine which customer server 
5000 the connector gateway 104 should contact to complete the connection). 

Regarding claim 27, 

Corneille discloses a firewall service, which is a network service (para. 352).

Regarding claim 28,

Corneille discloses that the connector gateway 104 may use Internet security 
server applications that provide firewall services for enterprise networks. For example, 
the connector gateway 104 may be built on top of Microsoft's Internet Security 
Acceleration (ISA) 2000 Server software, which provides firewall services for enterprise 
networks. ISA Server is an extensible platform that provides security, hardware 
redundancy, and load balancing and may have a comprehensive standard delivery kit
(para. 352). Corneille further discloses that a plurality of firewalls 124 may also be
included on the carrier network 110 and the customer network 114 to provide additional
security (para. 132). Note that the customer network 114 contains the service activation
component 5000. Therefore, service activation component 5000 provides extensible
set of services. See also para. 31.

Regarding claim 29, 

Corneille discloses that the service gateway 104 and the service activation 
component 500 in combination provide a common interface via which the retailer 
systems 102 request one or more of the services provided by the service activation 
component 5000, the combination exposing subsets of the common interface to each of 
the retailer systems by controlling access to the services by the retailer systems, 
(para. 241, During operation, the connector gateway 104 receives a request for a
business service (such as Exchange) from an end user; para. 371, To determine the 
customer server 5000, the session table 5010 is queried using the source IP on the 
request packet of the mobile device 102 to get the MSISDN). 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 2 and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Corneille in view of US 2003/0055968 A1 ("Hochmuth"). 
Regarding claims 2 and 18, 

Corneille shows in fig. 50 an IPsec router. However, Corneille does not explicitly 
disclose that the activation component is configured to configure a router to deliver a 
service. 

Hochmuth discloses reconfiguration may also involve steps such as, but not 
limited to, configuring network devices to move a port on which network resource 42 is 
connected from one cell to another, configuring a router's access control list (ACL) 
and/or other parameters (para. 44). 

It would have been prima facie obvious to one of ordinary skill in the art at the
time the invention was made to modify the connector gateway system of Corneille to
provide a capability to provide router configuration service as taught by Hochmuth. One 
skilled in the art would have been motivated to make the combination to permit or deny 
access to network resource 42 through any network connection, and/or configuring a 
firewall (Hochmuth, para. 44). 



Response to Arguments 

5. Applicant's arguments with respect to claims 1, 2, 8-12, 16, 18, 20-24, 26-29, 31,
and 33-35 have been considered but are moot in view of the new ground(s) of rejection.

Conclusion

6. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to ANTHONY SOL whose telephone number is (571) 272-5949.
The examiner can normally be reached on M-F 7:30am - 4pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Wing Chan can be reached on (571) 272-7493. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



/Anthony Sol/ 
Examiner, Art Unit 2619 
8/22/2008 

/Wing F. Chan/ 

Supervisory Patent Examiner, Art Unit 2619 
8/16/08 



